openssl 生成CA並且使用CA簽發證書
阿新 • • 發佈:2021-07-19
# Step 1: create the private CA (ca.key, ca.csr, ca.crt) under ./cert-tool/, valid for 365 days.
# Run this first: the "server" step signs with ca.crt and ca.key.
./cert-tool.sh ca 365
# Step 2: create server.key and a server.crt signed by that CA, valid for 365 days.
# Both steps prompt for the subject fields interactively.
./cert-tool.sh server 365
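#!/bin/bash
# cert-tool.sh - create a private CA and issue a server certificate from it.
#
# Usage: ./cert-tool.sh ca|server [days]
#   ca      generate ca.key and a self-signed ca.crt
#   server  generate server.key and a server.crt signed by ca.key
#   days    certificate lifetime in days (default 10000, roughly 27 years;
#           pass a shorter value unless a long-lived certificate is intended)
#
# All files are written to ./cert-tool/ relative to the current directory.
# Both private keys are stored unencrypted, so protect that directory and
# keep ca.key off hosts that only need server.key.
set -euo pipefail

# Key files must not be readable by other local users. This only affects
# files and directories created by this run; an existing cert-tool/
# directory keeps whatever mode it already has.
umask 077

readonly WORK_DIR=cert-tool

# Lifetime in days, read by ca() and server(); main() overrides it from $2.
day=10000

#######################################
# Check that a value is a positive decimal integer.
# Arguments: $1 - candidate value
# Returns:   0 if valid, 1 otherwise
#######################################
is_positive_int() {
  [[ ${1:-} =~ ^[1-9][0-9]*$ ]]
}

#######################################
# Remove the previously issued server key, CSR and certificate from the
# current directory. The CA files are deliberately kept: deleting ca.key
# would make it impossible to issue further certificates from the same CA.
#######################################
clear_old() {
  rm -f -- server.key server.csr server.crt
}

#######################################
# Write openssl.cnf into the current directory.
# The delimiter is quoted so the shell expands nothing inside the config.
#######################################
write_config() {
  # commonName_default is shared by the CA and the server request. Enter a
  # different Common Name for the server: a leaf whose subject equals its
  # issuer looks self-signed to some verifiers and fails chain building.
  #
  # The wildcard SANs match every host name directly under those domains;
  # list the exact service name instead if only one service needs the
  # certificate.
  cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Root Group
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
commonName_default = Private Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.deployconfig-operator-system.svc
DNS.2 = *.deployconfig-operator-system.svc.cluster.local
EOF
}

#######################################
# Generate the CA key and a self-signed CA certificate, then print it.
# Re-running this overwrites ca.key, which orphans every certificate that
# was issued from the previous CA.
# Globals: day (read)
#######################################
ca() {
  openssl genrsa -out ca.key 2048
  openssl req -new -sha256 -out ca.csr -key ca.key -config openssl.cnf
  # v3_ca marks the certificate as a CA (basicConstraints CA:TRUE). Without
  # it the result carries no CA flag, which strict verifiers reject.
  openssl x509 -req -sha256 -in ca.csr -out ca.crt -signkey ca.key \
    -days "$day" -extensions v3_ca -extfile openssl.cnf
  openssl x509 -in ca.crt -noout -text
}

#######################################
# Generate the server key and a certificate signed by the CA, then print it.
# Globals: day (read)
# Returns: 1 if the CA files are missing
#######################################
server() {
  if [[ ! -f ca.crt || ! -f ca.key ]]; then
    printf '%s: ca.crt/ca.key not found in %s; run "%s ca" first\n' \
      "$0" "$PWD" "$0" >&2
    return 1
  fi
  openssl genrsa -out server.key 2048
  openssl req -new -sha256 -out server.csr -key server.key -config openssl.cnf
  openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days "$day" \
    -extensions v3_req -extfile openssl.cnf
  openssl x509 -in server.crt -noout -text
}

#######################################
# Entry point: validate arguments, prepare the work directory, dispatch.
# Arguments: $1 - ca|server, $2 - optional lifetime in days
#######################################
main() {
  local mode=${1:-}
  local input=''

  case "$mode" in
    ca | server) ;;
    *)
      echo "$0 ca|server"
      return 0
      ;;
  esac

  day=${2:-10000}
  if ! is_positive_int "$day"; then
    printf '%s: days must be a positive integer, got: %s\n' "$0" "$day" >&2
    return 2
  fi

  mkdir -p -- "$WORK_DIR"
  cd -- "$WORK_DIR"

  # Only an explicit Y/y deletes anything; Enter or end-of-input keeps the
  # existing files.
  read -r -p "rm cert-tool/server*? [Y/n]" input || input=''
  case "$input" in
    Y | y) clear_old ;;
  esac

  write_config

  case "$mode" in
    ca) ca ;;
    server) server ;;
  esac
}

main "$@"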